Apple released macOS 14 Sonoma this week, and on top of the numerous consumer facing features, there are also a number of interest to MacAdmins.
• What’s new for enterprise in macOS Sonoma
While there are many improvements to features like Declarative Device Management (DDM) and MDM, one of the most interesting to me only got a short mention with no details.
Automated Device Enrollment can be enforced after Setup Assistant.
This feature, which I’m calling Retroactive Automated Device Enrollment, was announced during WWDC and I extensively tested it during the beta cycles.
I think there is some amazing potential here. Read on for details…
Automated Device Enrollment (ADE) is the free Apple service which enables zero touch deployment. Using Apple Business Manager, devices can be assigned to MDM servers automatically or manually. Users will be forced to enroll during Setup Assistant if they are connected to the internet.
The ability to enforce this enrollment has gotten better each of the past few years.
macOS 12 Monterey and earlier
In earlier versions of macOS, end users could easily avoid Automated Device Enrollment. If they were not connected to the internet while going through Setup Assistant they could begin using the Mac without enrolling in MDM.
While macOS would prompt them to enroll later via Notification Center banners, these could easily be ignored indefinitely.
macOS 13 Ventura
Mac computers registered to an organization must connect to a network during Setup Assistant after being erased or reset.
Apple begin to close this gap last year in macOS Ventura.
Unfortunately this feature is not enabled when computers ship from the factory and only takes effect after the Mac has connected to the internet for the first time.
I’ll have a new post about how we workaround this limitation shortly and will add the link here…
macOS 14 Sonoma
Apple has taken another great step forward in macOS Sonoma. Instead of the small Notification Center banner, users now get a full screen dialog that can’t be ignored.
The “Not now” option can be used to defer the MDM enrollment, but only for eight hours. After that time expires the Mac is basically useless until the user complies.
Experience
When the new feature is first activated, users will see the above full screen dialog. If they click “Not now” it will disappear and not automatically reappear for eight hours.
During this time System Settings will have an update available notification. When users open System Settings they will see a notification to Enroll in Remote Management. Clicking the notification will open a small prompt.
Choosing Enroll launches the full screen dialog while selecting Later dismisses the dialog.
If the user has chosen to defer, macOS will prompt the user again after eight hours. However this time the “Not now” option is gone and the user must enroll to continue using the Mac.
- After clicking Enroll the user will need to authenticate as an administrator.
- If enabled on your MDM, the user will need to authenticate to continue enrollment.
- The enrollment profile will be installed.
- Enrollment will complete and the user can quit the full screen dialog and continue working.
Differences from Setup Assistant
Unlike ADE during Setup Assistant, only the enrollment profile will be installed before the user is returned to the desktop. This means they will be able to continue working while additional configuration profiles and apps are installed in the background.
This experience may not be what you expect and should be tested in your environment.
Automatic triggering
Users with an unmanaged computer that is assigned to an MDM in ABM are the most likely to see this new experience automatically.
Primarily these are users who accidentally or purposefully were not connected to the internet during setup in the past and have ignored the older style alerts.
This new dialog should be displayed about one hour after completing the upgrade to macOS Sonoma.
This is a change from the beta period when the dialog would be activate almost immediately.
Manual triggering
Just as in past versions of macOS, the prompt to enroll can be triggered with either the sudo profiles renew -type enrollment or sudo profiles -N commands.
The user experience will be the same and the eight hour timer will start after execution.
These commands also provide the ability to trigger the full screen dialog additional times before the eight hour timer expires. The user will be able to select “Not now” on each of these additional triggers.
MDM Migrations
One place I see this being particularly useful is MDM migrations. Changing MDM servers has always been a huge undertaking. It requires every end user to take action and could potentially leave devices unmanaged.
Up until now this required using tools like Universal MDM Approval Dialog (UMAD) or custom workflows with Swift Dialog to encourage users to complete the necessary steps.
However this process can be greatly simplified with the new Retroactive Automated Device Enrollment in macOS Sonoma.
Now users can be prompted with the native macOS dialog and then forced to enroll eight hours later. This can be accomplished with a script and LaunchDaemon and no need to ship a GUI application.
I’m looking forward to seeing how this new feature is put to use!
More testing needed
There are a few scenarios I haven’t had time to test yet:
- Automatic triggering after MDM assignment change and unenrollment
- With an MDM enrolled computer running macOS Sonoma;
- Change the MDM assignment in ABM;
- Unenroll the computer from the current MDM;
- Will macOS automatically prompt for re-enrollment based on the changed MDM assignment?
- Automatic triggering if the Mac was not assigned to MDM originally
- Un-assign the Mac from the MDM server in ABM;
- Clean install macOS Ventura and setup without ADE;
- Assign the Mac to an MDM server in ABM;
- Upgrade to macOS Sonoma;
- Will macOS automatically prompt for enrollment?
- Standard user experience
- Is there a way to leverage this new functionality with standard, non-admin, local users?
I’ll update this post when I have had a chance to test these. If you already have, please share your experiences in the comments.
Hi Kevin,
Thanks for the Blog post about this. I haven’t seen too much about this on any other site. One issue I did have is triggering the enrollment in Sonoma. Let me explain my use case real quick. I am migrating from one MDM server to the next programmatically using a shell script locally installed on the Mac to trigger the profiles command. I cannot get the enrollment window to pop up using the script. If I trigger the command from terminal on the Mac it pops up with out issue. I am stumped. If I’m not mistaken I believe this was a use case you were wanting to try yourself. Hopefully I can help with the testing on this Any thoughts would be much appreciated.
Best regards,
Cameron
We are actually in the middle of an MDM migration right now using this method and it works great. I plan to write it up once we get further along in the process.
One thing to note is that your users must be admins to enroll, so I believe the dialog will not display if a standard account is logged in.
Hi Kevin,
We are also going through an MDM migration and as Cameron mentioned, using the profiles command in a local script does not prompt the window. The local user is an admin, and I have tried running “sudo profiles -N” as the user in script, as well as root. No luck, if I run as the user, logs show that the command is waiting for a password input. If I run it as root, no prompt is shown at all. Would love to hear what your approach is.
Thanks!
The script executed by our LaunchDaemon runs the command as:
launchctl asuser [userid] profiles renew -type enrollment
Thanks Kevin, I’ll try that out
Hi Kevin,
Our users are all admins on their endpoints but the aren’t seeing the retroactive enrollment screen when triggered by a script that is forced by a launch daemon. One I am doing is executing jamf helper pop ups to guide the user through the retroactive enrollment process. DO you think this may be causing the retroactive enrollment screen to not pop up when forcing it via script?
Best regards,
Cameron
The script executed by our LaunchDaemon runs the command as:
launchctl asuser [userid] profiles renew -type enrollment
Kevin! You are a gem! The launchctl command worked like a charm. Thank you for you help on this.
Best regards, Cameron
I still don’t see this reliably occurring, has anyone seen otherwise?
Pat, do you mean you aren’t seeing it automatically trigger after upgrades to Sonoma? Are the users standard or admin?
Correct, I’ve removed my management profile from a test mac (running Sonoma, my user is admin) and have not seen this prompt organically myself. Granted, it’s a test device so it’s not actively powered on for most of the day.
All of that said, I actually just got a ticket across my plate from a user who DID get prompted to enroll and is now encountering a vague error when proceeding through the workflow: “Enrolling with management server failed. Unexpected error (HTTPStatus:403).” Feels like a bit of a one-off though, I don’t believe that’s a flaw inherent to this process.
Thanks Kevin!
Ah gotcha. This will only trigger organically after an upgrade to Sonoma from a lower major macOS version. If the Mac is already running Sonoma and is unenrolled from MDM nothing will happen unless you trigger it yourself.
Brilliant thats exactly what i have seen. It shows on 1 machine (upgrade from ventura to sonoma) but not on 2 others (on sonoma already)
Thanks for explaining the odd behavior.
I was prompted to enroll shortly after the Sonoma update. I deferred originally and then 8 hours later was brought to the screen without a “not now” option. I held the power button down on my mac to turn the computer off and am back up and running 2 hours later, without having been prompted again. Seems to be a temporary bypass. Also wondering if disconnecting from the internet when prompted is: 1. even possible, given functionality is limited when the prompt comes up. 2. Allow users to bypass the prompt.
Thanks for sharing your experience Bill.
I tested the power-off scenario myself and saw the prompt almost immediately after the reboot. I know others have seen similar based on discussions in the MacAdmins Slack.
I’m sure there are still some edge cases around this that need to be identified and reported to Apple though.
Thanks for the great article Kevin. I am seeing an issue with Sonoma , I am on 14.1.2. Admin authentication pop up for some reason appearing into background. causing machine to be in retrieving perpetually. prompt not appearing at front and stays in background.
This is not something we’ve seen here that I’m aware of.
Thank you for the highly informative post! Been trying to get machines to perform the ADE (already assigned in ABM) and sometimes it just doesn’t want to do it.
Much appreciated.
So it is working on some computers but not others?
Automatic triggering after MDM assignment change and unenrollment
With an MDM enrolled computer running macOS Sonoma;
Change the MDM assignment in ABM;
Unenroll the computer from the current MDM;
Will macOS automatically prompt for re-enrollment based on the changed MDM assignment?
———————-
I tested this, moving a device from Jamf to Addigy in ABM. Nothing happens automatically, I waited for 2 hrs and even restarted the computer.
Yep, we tested that pretty quickly after I posted this. We’re using a script to trigger the dialog.
This happened to me this morning, the enrolment screen just appeared and quickly pressed the “not now” button, but shortly after that my laptop shut down unexpectedly. When I attempted to turn it back on, there was no response or interaction. My Macbook is just dead now
Btw the enrolment screen shows the message of ” this Macbook is owned by UBER”
Can this problem be fixed?
You’ll need to contact Uber as it sounds like you are in possession of a computer they own.